A Shifting Definition of 'Severity'

Microsoft this week issued a study that examines the malicious software threat to Windows computers ... a report clearly written from the software giant's vantage point.

While the report includes some interesting stats about which malware samples were most prevalent on customer machines last year, the most meaningful section of the report focuses on a new development that may force Microsoft to redefine its approach to security.

Microsoft said the number of security bulletins it released in 2007 was 11.5 percent lower than in 2006, and that the number of vulnerabilities covered by those bulletins was 29.6 percent lower than the number covered by the 2006 bulletins (the term "bulletin" is a bit of an artificial construction that does not equate to the total number of vulnerabilities, because a single Microsoft "bulletin" often fixes multiple security flaws).

If Microsoft issued fewer patches last year, attackers hardly noticed. In 2007, instructions for exploiting security flaws in Windows were available online for nearly one-third of all security vulnerabilities for which the company issued security patches -- roughly unchanged from the percentage of flaws for which exploits were released in 2006, the report notes.

Researchers may be reporting fewer flaws in Microsoft products, but it could also be the case that the very flaws Microsoft is fixing are more perilous than the company first thought.

To wit, the Microsoft report dedicated substantial ink to analyzing the impact of new government-developed standards for rating the severity of software security holes. Microsoft has traditionally tied severity rankings of its patches to rankings developed by the National Institute of Standards and Technology's (NIST) National Vulnerability Database. To determine the severity of a given vulnerability, that database uses a mechanism called the Common Vulnerability Scoring System (CVSS), which assigns numeric values between zero and 10 to vulnerabilities -- according to a combination of factors, with higher scores representing greater severity.

But NVD changed things in June 2007, when it released a 2.0 version of the CVSS in a stated attempt to increase the accuracy and consistency of the scoring system. The NVD then went back and re-computed the CVSS scores for all of the vulnerabilities in its database going back several years.

The unsurprising result is that more security flaws in the NVD have been reclassified with higher severity ratings. This obviously affects a great many Microsoft security flaws, but the Microsoft report did not show how the company's past security bulletins might be modified by this new system. Instead, it included an analysis of how those new standards affect the entire spectrum of vulnerability disclosures made by the larger software industry over the past several years.

While it may seem trivial to go back and compare how previous Microsoft patches rated under both scoring systems, the NVD no longer appears to offer an archive of the ratings it assigned under its previous classification scheme.

At any rate, Microsoft found that under the CVSS Version 1 rating system, the percentage of disclosed vulnerabilities rated high-severity reached an all-time high of 15 percent industry-wide in 2007, with low-severity vulnerabilities accounting for roughly 40 percent of vulnerabilities disclosed, and medium-severity vulnerabilities accounting for the remaining 45 percent.

Using the newer version of the CVSS rating system, Microsoft found that high-severity vulnerabilities consistently make up 40-50 percent of vulnerabilities disclosed across the software industry, with low-severity vulnerabilities contributing a much smaller percentage, reaching highs of around 9 percent in 2004 and 2005 and falling to 3.6 percent in 2007.

Central to the question of how Microsoft's vulnerabilities would fare under the new rating system is how such a system might impact the security professionals charged with prioritizing fixes to those flaws. Microsoft long ago reoriented its patch release cycle to better suit the needs of corporate security technicians, who often need to test patches before deploying them to ensure the updates don't break custom software applications.

To that end, Microsoft said that using CVSS Version 1, security administrators have historically been able to focus on the approximately five percent of vulnerabilities rated as the most severe. Under CVSS Version 2, roughly 40 percent of all vulnerabilities are now grouped together in the most severe category. "This translates to a big increase in prospective workload," Microsoft wrote. "Although if 40 percent of vulnerabilities are that severe, it is difficult to justify not treating them as such."

A sizeable portion of the Microsoft report focused on the volume of malware the company is now scrubbing off of Windows systems. Microsoft said its malicious software removal tool (MSRT), which is offered by default whenever Windows users download security updates, removed 40 percent more malicious software from machines in the second half of 2007 than in the first six months.

By the end of 2007, Microsoft's MSRT was running on more than 450 million PCs, the company reported, 15.8 million of which were found to be infected with at least one piece of malware, an 80 percent increase over the first half of 2007.

Microsoft said that over the past year the number of Trojan horse downloader and dropper disinfections has grown from just under 1 million in the second half of 2006 to more than 19 million in the last six months of 2007, and that during the latter timeframe downloaders accounted for almost half of all MSRT disinfections worldwide.

By far the most common downloader components removed by the MSRT were related to "Zlob," malware that poses as a media player "codec" that users are told they need to install in order to view videos (almost always of the adult variety). Microsoft said its tool zapped more than 14.3 million instances of Zlob-related malware from machines in the second half of 2007. Zlob bombards victims with pop-up ads and bogus spyware warnings in a bid to trick the victim into paying for rogue/useless security software.

The second most-commonly removed malware (4.26 million infections) was "Win32/Renos," which also tries to trick the victim into buying fake anti-spyware programs. The most prevalent fake security program removed by the MSRT was Winfixer.

Microsoft also noted that while phishing attacks have long been largely an e-mail based scourge, phishing attempts are increasingly being posted to social networks, exploiting the trust that victims place in these networks and in the social contacts they maintain on them.